
Webserver's HttpInitializer does not do full certificate path validation in mTLS

Open gcameo opened this issue 2 years ago • 1 comments

Environment Details

  • Helidon Version: All
  • Helidon SE
  • JDK version: All
  • OS: All
  • Docker version (if applicable):

Problem Description

As a user, as part of mutual TLS authentication, we would like to restrict connections based on certificate chain. If the client certificate root certificate is not the same as the root certificate of the server, then we would like to reject the request. This is critical for many new integration scenarios where only trusted parties are allowed to make a connection.

At the moment, Helidon only checks the Common Name (CN) of the client cert for mutual TLS. This is heavily restrictive. This code can be found in

https://github.com/oracle/helidon/blob/76efd2e070e3f3c068a10769ca9d672cc6216a96/webserver/webserver/src/main/java/io/helidon/webserver/HttpInitializer.java#L170

Only the top certificate is even checked.

https://github.com/oracle/helidon/blob/76efd2e070e3f3c068a10769ca9d672cc6216a96/webserver/webserver/src/main/java/io/helidon/webserver/HttpInitializer.java#L237

It will be good for the Helidon user application to also require that the entire certificate chain of the client is validated. This will significantly improve the security capabilities of Helidon.

It will be good to also allow the Helidon User Application to contribute to the path validation process if possible.

If the Helidon User Application can also contribute bespoke logic to the certificate validation logic, such as checking other certificate extension values as part of the validation, it will be excellent. We can now create extensions that contain usernames in the certificate, ensuring that certificates are not shared by users, etc.

gcameo avatar May 29 '22 05:05 gcameo
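In a JDK-based server such as Helidon, validating the client's whole chain is the job of the X509TrustManager behind the server's SSLContext, not of the code that reads the CN out of the leaf certificate. The following example is added here for illustration and is not Helidon code nor code from the issue author: it assumes a plain JDK environment, a trust store whose trusted-certificate entries are the only accepted roots, and an application-supplied predicate (here a hypothetical SAN e-mail check) as the "bespoke logic" hook the issue asks for. The chain is validated with the JDK's PKIX CertPathValidator, so a client chaining to any other root is rejected before the request reaches application code.

```java
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.function.Predicate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;

/** Hypothetical server-side trust manager (not Helidon code): PKIX path validation of the
 *  client chain against a trust store, followed by an application-supplied leaf check. */
public final class ChainValidatingClientTrustManager extends X509ExtendedTrustManager {

    private static final int SAN_RFC822_NAME = 1; // GeneralName tag for an e-mail SAN

    private final PKIXParameters pkix;
    private final List<X509Certificate> anchors = new ArrayList<>();
    private final Predicate<X509Certificate> leafPolicy;

    public ChainValidatingClientTrustManager(KeyStore trustStore,
                                             Predicate<X509Certificate> leafPolicy) throws GeneralSecurityException {
        this.pkix = new PKIXParameters(trustStore); // anchors = trusted-certificate entries of the store
        this.pkix.setRevocationEnabled(false);      // enable and supply CRL/OCSP data in production
        this.leafPolicy = leafPolicy;
        for (TrustAnchor ta : pkix.getTrustAnchors()) {
            anchors.add(ta.getTrustedCert());
        }
    }

    /** Full-path validation: chain is leaf-first and must end at one of the configured anchors. */
    void validateChain(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("no client certificate presented");
        }
        List<X509Certificate> path = new ArrayList<>(List.of(chain));
        // The PKIX validator expects the path without the anchor itself; if the client also sent
        // its root, strip it from the end so it is matched as an anchor rather than as a path element.
        while (!path.isEmpty() && anchors.contains(path.get(path.size() - 1))) {
            path.remove(path.size() - 1);
        }
        if (path.isEmpty()) {
            throw new CertificateException("client presented a trust anchor as its own certificate");
        }
        try {
            CertPathValidator.getInstance("PKIX")
                    .validate(CertificateFactory.getInstance("X.509").generateCertPath(path), pkix);
        } catch (GeneralSecurityException e) { // CertPathValidatorException: bad signature, expired, wrong root, ...
            throw new CertificateException("client certificate chain rejected: " + e.getMessage(), e);
        }
        if (!leafPolicy.test(chain[0])) {
            throw new CertificateException("client certificate rejected by application policy");
        }
    }

    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { validateChain(c); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { validateChain(c); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { validateChain(c); }
    // Server-side only: never vouch for a peer presenting itself as a server.
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { throw new CertificateException("server-side only"); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { throw new CertificateException("server-side only"); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { throw new CertificateException("server-side only"); }
    @Override public X509Certificate[] getAcceptedIssuers() { return anchors.toArray(new X509Certificate[0]); }

    /** Example bespoke check (assumed policy): the leaf must carry an rfc822Name SAN under the given
     *  domain, which binds the certificate to one user identity. */
    public static Predicate<X509Certificate> emailSanInDomain(String domain) {
        String suffix = "@" + domain.toLowerCase();
        return leaf -> {
            try {
                Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
                if (sans == null) {
                    return false;
                }
                for (List<?> san : sans) {
                    if (Integer.valueOf(SAN_RFC822_NAME).equals(san.get(0))
                            && String.valueOf(san.get(1)).toLowerCase().endsWith(suffix)) {
                        return true;
                    }
                }
                return false;
            } catch (CertificateParsingException e) {
                return false; // unparseable SAN extension: fail closed
            }
        };
    }

    /** Builds the server SSLContext with this trust manager; hand it to the server's TLS configuration. */
    public static SSLContext serverContext(KeyStore serverKeys, char[] keyPassword, KeyStore trustStore,
                                           Predicate<X509Certificate> leafPolicy) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(serverKeys, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(),
                 new TrustManager[] {new ChainValidatingClientTrustManager(trustStore, leafPolicy)}, null);
        return ctx;
    }
}
```

Two caveats when using something like this: a trust manager only judges a certificate that was actually presented, so the server's TLS settings must still require (not merely request) client authentication, otherwise a client that sends no certificate never reaches `checkClientTrusted`; and revocation is switched off above for a self-contained example, so a real deployment should enable it and provide CRL or OCSP data through the `PKIXParameters`.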

The code you are referring to has nothing to do with certificate path validation. This particular part is just obtaining the common name of the client certificate, for it to be accessible via context on the endpoint.

Did you encounter any problem with full certificate path validation in mTLS?

Verdent avatar Aug 05 '22 09:08 Verdent

Please reopen if you find this is a valid issue.

Verdent avatar Aug 17 '22 15:08 Verdent